util-linux support
Feature Request
Include nsenter as a host program.
Description
In some cases some programs like CNI require nsenter to be on the host to operate.
Notes
Related:
- https://github.com/linkerd/linkerd2/issues/7945
I'm not sure I fully understand the issue. CNI in fact runs on the host; it doesn't need nsenter, as it's already in the host namespace.
If nsenter is required, it could be shipped with the CNI container (as I guess nsenter happens from some privileged container); that's how some storage provider plugins work.
I don't think we really want to ship nsenter with Talos, as doing nsenter is certainly going backwards in terms of security.
Does the reply here make some sense, possibly as to why CNIs like Linkerd require this? https://github.com/linkerd/linkerd2/issues/7945#issuecomment-1058122415
Without something like this, it looks like Talos wouldn't support Linkerd as a CNI?
I think we should avoid including nsenter in the base Talos filesystem, but nothing stops shipping it as a system extension for those who need it: https://github.com/siderolabs/extensions
This whole CNI story is certainly a security mess in general (not only Linkerd, but any CNI): dropping random binaries on the host and running them with basically root privileges. With Talos, what one can do is bundle the CNI binaries and anything else that is required as a system extension, and install that as needed. This should allow keeping the root filesystem read-only.